schannel bug

Andrew Bartlett abartlet at samba.org
Fri Sep 26 23:27:35 GMT 2003


On Sat, 2003-09-27 at 00:31, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Can someone who worked on the schannel code provide some feedback
> on bug 309?
> 
> I'm seeing an rpc fault in the logs (and a "procedure is out of
> range" error message on the client).
> 
> process_incoming_data: Start: pdu_received_len = 0, pdu_needed_len = 304,
> incoming data = 304
> process_complete_pdu: processing packet type 0
> 000000 smb_io_rpc_hdr_req req
>      0000 alloc_hint: 000000f4
>      0004 context_id: 0000
>      0006 opnum     : 0002
> data 256 auth 32
> 000108 smb_io_rpc_hdr_auth hdr_auth
>      0108 auth_type    : 44
>      0109 auth_level   : 05
>      010a padding      : 0c
>      010b reserved     : 00
>      010c auth_context : 000b1ca8
> Invalid auth info 68 or level 5 on schannel
> process_request_pdu: failed to do schannel processing.
> set_incoming_fault: Setting fault state on pipe NETLOGON : vuid = 0x64
> process_complete_pdu: DCE/RPC fault sent on pipe lsass
> set_incoming_fault: Setting fault state on pipe NETLOGON : vuid = 0x64

Yes, it's possible to get some domain clients into a state where they
will refuse to 'seal' the schannel connection, only sign it.  We don't
currently know how to only sign it (we are close - I have most of the
code there, but it doesn't quite work yet :-).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
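
The `hdr_auth` dump in the quoted log carries auth_type 0x44 (decimal 68, the "auth info 68" of the error line) with auth_level 05, which is the integrity (sign-only) level rather than level 6 (privacy, sign and seal). The sketch below is an added example, not Samba's code: it decodes those 8 bytes and classifies the request. All identifier names are hypothetical, and it assumes little-endian byte order and that "data 256" is the stub length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Well-known DCE/RPC constants; the identifier names are this example's own. */
#define AUTH_TYPE_SCHANNEL   0x44 /* 68 decimal, the "auth info 68" in the log */
#define AUTH_LEVEL_INTEGRITY 5    /* sign only */
#define AUTH_LEVEL_PRIVACY   6    /* sign and seal */

struct auth_trailer {
    uint8_t  auth_type, auth_level, pad_len, reserved;
    uint32_t context_id;
};

enum verdict { V_MALFORMED, V_NOT_SCHANNEL, V_BAD_LEVEL, V_SIGN_ONLY, V_SEAL };

/* Decode the 8-byte trailer; data_len is the stub length ("data 256"). */
static int parse_trailer(const uint8_t *p, size_t len, size_t data_len,
                         struct auth_trailer *t)
{
    if (p == NULL || len < 8)
        return -1;
    t->auth_type  = p[0];
    t->auth_level = p[1];
    t->pad_len    = p[2];
    t->reserved   = p[3];
    /* Assumption: little-endian data representation. */
    t->context_id = (uint32_t)p[4] | (uint32_t)p[5] << 8 |
                    (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
    return t->pad_len > data_len ? -1 : 0; /* padding cannot exceed the stub */
}

static enum verdict classify(const uint8_t *p, size_t len, size_t data_len)
{
    struct auth_trailer t;
    if (parse_trailer(p, len, data_len, &t) != 0) return V_MALFORMED;
    if (t.auth_type != AUTH_TYPE_SCHANNEL) return V_NOT_SCHANNEL;
    if (t.auth_level == AUTH_LEVEL_PRIVACY) return V_SEAL;
    if (t.auth_level == AUTH_LEVEL_INTEGRITY) return V_SIGN_ONLY;
    return V_BAD_LEVEL;
}

/* Bytes rebuilt from the field values printed in the log (constructed). */
static const uint8_t log_trailer[8] = {0x44, 0x05, 0x0c, 0x00, 0xa8, 0x1c, 0x0b, 0x00};

int main(void)
{
    printf("verdict=%d\n", classify(log_trailer, sizeof log_trailer, 256));
    return 0;
}
```

A server that implements only sealing has to fault on the `V_SIGN_ONLY` case, which matches the "failed to do schannel processing" line in the log.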